On Fri, August 26, 2005 5:55 am, Edward Vermillion wrote:
> Chris Shiflett wrote:
>
>> Because $_SERVER['SERVER_NAME'] can be manipulated by the user in
>> some cases, you must consider $temp tainted at this point.
>
> I was under the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself. Obviously I'm wrong, but
> I'm curious how 'SERVER_NAME' could be manipulated by the client. Is there
> anything in the $_SERVER array that *can* be considered safe?

Here is what little info I have in my brain on this topic... :-)

When your browser requests:

http://example.com/index.php

what really happens is more like doing this from a command shell:

telnet example.com 80
[wait for a prompt, type the following]
GET /index.php HTTP/1.0
Host: example.com
[hit return again here]

This last one, the "Host:" header, is used by VirtualHost settings in Apache to determine which URL you actually want.

But there's nothing to stop Bad Guy from doing this:

telnet php.net 80
GET /index.php HTTP/1.0
Host: example.com

At that point, if php.net responds at all, I *THINK* $_SERVER['SERVER_NAME'] might, depending on Apache configuration, be 'example.com'.

Or maybe not.

But when you stop to think about all the sites that are hosted on multiple server farm setups, where a single domain is actually serviced by an army of computers due to the sheer volume, you realize that the 'SERVER_NAME' cannot POSSIBLY be the actual honest-to-god there-is-only-one IP address of a single computer that is responding.

So odds are really good that in *SOME* situations, $_SERVER['SERVER_NAME'] is not particularly reliable.

That may not be your situation; it might be 100% reliable in YOUR situation.

But do you really want to write code that might maybe someday get thrown into a different situation that has vulnerabilities in it?

Disclaimer: I really have no idea how it could harm you, but if Chris Shiflett warns against it, don't do it. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
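The pattern Chris Shiflett is warning about, next to one way of handling it, as an added example that is not part of the thread. It assumes the application is only ever served as example.com or www.example.com (a constructed allow list) and that Apache runs with its default UseCanonicalName Off, under which SERVER_NAME is formed from the client's Host header; both $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] then carry whatever the telnet session above typed. The function names, the reset-link scenario and the $_SERVER fragments are all constructed for illustration.

```php
<?php
// Added example (not from the thread). Shows where the client's Host value
// ends up in $_SERVER and one way to stop treating it as trustworthy.
// Assumed: the site is only served as example.com / www.example.com.

$allowedHosts = ['example.com', 'www.example.com'];

/**
 * Return the host name to use in self-referential URLs, or null when the
 * request arrived under a name we do not serve.
 *
 * Both keys are treated as tainted: HTTP_HOST is the client's Host header
 * verbatim, and with Apache's default "UseCanonicalName Off" SERVER_NAME is
 * derived from that same header rather than from the configured ServerName.
 */
function canonical_host(array $server, array $allowed): ?string
{
    $raw = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    // Strip an optional :port suffix and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    return in_array($host, $allowed, true) ? $host : null;
}

// The pattern being warned about: $temp is built from SERVER_NAME and then
// used as if it were the site's own name, e.g. in a password-reset mail.
function reset_link_unsafe(array $server, string $token): string
{
    $temp = $server['SERVER_NAME'];
    return 'http://' . $temp . '/reset.php?t=' . urlencode($token);
}

// Hardened form: only a host on the allow list is used; anything else is
// refused rather than echoed back into a URL.
function reset_link_safe(array $server, array $allowed, string $token): string
{
    $host = canonical_host($server, $allowed);
    if ($host === null) {
        throw new RuntimeException('unrecognised Host header: ' . ($server['HTTP_HOST'] ?? ''));
    }
    return 'http://' . $host . '/reset.php?t=' . urlencode($token);
}

// Constructed $_SERVER fragments. The first is what a browser produces; the
// second is what the "telnet ... / Host: whatever" trick above produces on a
// server running with UseCanonicalName Off.
$normal = ['HTTP_HOST' => 'www.example.com', 'SERVER_NAME' => 'www.example.com'];
$forged = ['HTTP_HOST' => 'evil.example:80', 'SERVER_NAME' => 'evil.example'];

echo reset_link_unsafe($forged, 'abc123'), "\n";
echo reset_link_safe($normal, $allowedHosts, 'abc123'), "\n";

try {
    reset_link_safe($forged, $allowedHosts, 'abc123');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

Run with the PHP CLI. The unsafe function happily builds a reset link pointing at evil.example, which is exactly the kind of value that ends up in an e-mail to a victim; the hardened one returns a link on www.example.com for the normal request and throws for the forged one. The practical answer to Edward's question is that nothing Host-derived in $_SERVER is safe by itself; compare it against names you configured, and fall back to a hard-coded canonical name if you do not want to reject the request outright.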